Lightning talk: IDAscope. Author: Daniel Plohmann. Subject: 24.10.2012 @...
TRANSCRIPT
© Cyber Defense Research Group, Fraunhofer FKIE
simpliFiRE.IDAscope
An IDA Pro extension for easier (malware) reverse engineering
Daniel Plohmann, Alexander [email protected]
Some words about myself

Personal background
- PhD student and researcher at University of Bonn & Fraunhofer FKIE
- Research focus: Reverse Engineering
- Work focus: malware analysis and botnet mitigation

Projects
- Author of 2011 ENISA Botnet Study [1]
- PyBox [2]: Userland-hooking framework (with Felix Leder)
- AntiRE [3]: An Executable Collection of Anti-Reversing Techniques

[1] http://www.enisa.europa.eu/act/res/botnets/botnets-measurement-detection-disinfection-and-defence
[2] http://code.google.com/p/pyboxed
[3] https://bitbucket.org/fkie_cd_dare/simplifire.antire
Current State (simpliFiRE.IDAscope)
IDAscope … in a nutshell

An IDA Pro extension for easier (malware) reverse engineering.

Motivated by the current workflow of working with IDA Pro. Repeat: "Identify relevant parts of the binary; tear apart; document findings."

Common tasks:
1) Malware RE usually starts with the corner pieces: strings, API calls, signature hits, … API calls are a good indicator for function semantics. Reoccurring need for looking up things in MSDN. Switch windows time and time again…
2) C&C communication schemes are of high interest!
3) Find and understand cryptographic routines used.

Idea: Provide automation/integration of "helpers" that assist with regularly performed tasks.
IDAscope Overview

Functionality organized in tabs. The main window can be dragged around like every other IDA view.
IDAscope: Features
1) Function Inspection

- Tagging of functions
  - Based on API calls
  - APIs can be specified via config
  - Renaming with tags possible
- Example: DownloadToFile consists of API calls tagged with File and Network
IDAscope: Features
1) Function Inspection

- Coloring of basic blocks
  - Based on API semantics
  - Colors can be adjusted
  - More an experiment :)
- Color legend: Sysinfo/Registry, Network, File Access, Memory Access, Execution, Crypto, Multi
IDAscope: Features
1) Function Inspection

- Code to function conversion
  - Function prologues get handled first
  - Then remaining undefined areas
- Opens these code sections to further analysis
IDAscope: Features
1) Function Inspection

- Automatic renaming of wrapper functions
- Credits go to Branko Spasojevic (author of Optimice) for providing the code!
IDAscope: Features
2) WinAPI Browsing

- Seamless integration of MSDN in IDA Pro, accessible via shortcut on highlighted elements
- Now also with online lookup!
- But not multi-threaded / no backgrounded lookups yet
IDAscope: Features
3) Crypto Identification

- Identification of cryptographic / compression routines
- Based on the ratio of arithmetic / logic instructions to all instructions in a basic block
- Approach described in "Dispatcher: Enabling Active Botnet Infiltration using Automatic Protocol Reverse-Engineering" by Juan Caballero et al.
IDAscope: Features
3) Crypto Identification
Example: Citadel string decryption.
1) 3 arithmetic/logic instructions / 9 instructions = 33% rating
2) 9 instructions
3) 0 calls
4) Is a looped basic block
=> Matches above parameters
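The per-block rating described on the two crypto slides above, written out as an added example (this is not IDAscope's own code): the arithmetic/logic mnemonic set, the thresholds and the sample block are assumed or constructed, with the sample modelled on the Citadel figures (3 of 9 instructions, 0 calls, looped).

```python
# Added example, not IDAscope's code: the Caballero et al. arithmetic/logic
# ratio heuristic applied per basic block, run offline over a constructed
# instruction list instead of the IDAPython API.
from dataclasses import dataclass

# Mnemonics counted as arithmetic/logic (assumed set; IDAscope's may differ).
ARITHLOG = {"add", "sub", "xor", "and", "or", "not", "neg", "shl", "shr", "sar",
            "rol", "ror", "imul", "mul", "div", "idiv", "inc", "dec"}
BRANCHES = {"jmp", "jz", "jnz", "jb", "jnb", "ja", "jbe", "jl", "jge", "jle",
            "jg", "loop"}

@dataclass
class Insn:
    ea: int          # address of the instruction
    mnem: str        # mnemonic, lower case
    target: int = 0  # branch target for jumps, otherwise 0

def score_block(insns):
    """Return (arithlog_ratio, insn_count, call_count, is_looped) for one block."""
    n = len(insns)
    arith = sum(1 for i in insns if i.mnem in ARITHLOG)
    calls = sum(1 for i in insns if i.mnem == "call")
    # A looped block ends with a branch back to its own start (a self back-edge).
    looped = bool(insns) and insns[-1].mnem in BRANCHES and insns[-1].target == insns[0].ea
    return (arith / n if n else 0.0, n, calls, looped)

def is_crypto_candidate(insns, min_ratio=0.3, min_insns=8, max_calls=0, need_loop=True):
    """Assumed thresholds, chosen so the Citadel-like block below passes."""
    ratio, n, calls, looped = score_block(insns)
    return (ratio >= min_ratio and n >= min_insns and calls <= max_calls
            and (looped or not need_loop))

# Constructed sample block modelled on the slide's Citadel figures:
# 3 arithmetic/logic instructions out of 9, no calls, looped -> 33% rating.
CITADEL_LIKE = [
    Insn(0x401000, "mov"), Insn(0x401002, "movzx"), Insn(0x401005, "xor"),
    Insn(0x401007, "mov"), Insn(0x401009, "add"), Insn(0x40100a, "inc"),
    Insn(0x40100b, "cmp"), Insn(0x40100d, "mov"), Insn(0x40100f, "jnz", 0x401000),
]

if __name__ == "__main__":
    print(score_block(CITADEL_LIKE), is_crypto_candidate(CITADEL_LIKE))
```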
Future Plans (simpliFiRE.IDAscope)
IDAscope: Future Plans
4) Threads / Function Relationship

- Threads and function call chains are a good indicator of functionality.
- A "big picture" would be very helpful.
- My opinion: We need something better than this (WinGraph) or step by step navigation via xrefs.
- Same function scope as IDA graph (IDAPython API has limited graph support), not much better...
IDAscope: Future Plans
4) Threads / Function Relationship

- Threads and function call chains are a good indicator of functionality.
- Same displayed as tree, generated with Alex' script [4]:

[Figure: text call tree rooted at CreateThread (Call 0x40bc39, StartAddress (lpStartAddr) = sub_40B868), descending through sub_* functions (e.g. sub_40EFD1, SomeCryptoDecryptBaseConfig, CustomRc4) down to API calls such as MultiByteToWideChar, PathCombineW, RegOpenKeyExW, RegQueryValueExW, HeapAlloc, CreateMutexW, WaitForSingleObject, OpenProcessToken, AdjustTokenPrivileges and SetNamedSecurityInfoW]

? Use a TreeWidget for rendering?

[4] http://hooked-on-mnemonics.blogspot.com/2012/08/ida-thread-analysis-sript.html
IDAscope Conclusion

Start using it! :)

Repository at http://idascope.pnx.tf (points to: https://bitbucket.org/daniel_plohmann/simplifire.idascope)

I report about updates in my blog: http://blog.pnx.tf and on twitter @push_pnx
Alex has a blog, too: http://hooked-on-mnemonics.blogspot.com

Send feedback or ideas for improvement!